Attacks on ezPublish installs ? Blank Users registered

Friday 23 September 2005 4:42:18 am

Hi,
since some weeks, i experience issues with 2 public ezPublish 3.4 installations.
Now and then (every few days), someone seems to try to login the user site and then tries 17 times to register a user.
The registration fails and creates 17 blank users, including the mails to the admin mail adress and mails to the (blank) user email adress, which get returned to the sender (server) mail adress.

First, i thought, that this is a user, which has some problems to register an account, but it happened at least 3 times with EXACTLY the same "click pattern", according to the apache logfile.
This makes me think, that this is an attack or at least something "scripted".
My next guess was a search engine spidering the page, but there is no "Browser Agent" reported, either.

This is what happens (i replaced actual URLs)

204.38.36.89 - - [23/Sep/2005:12:08:36 +0200] "GET / HTTP/1.1" 200 10179 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:37 +0200] "GET /<defaultsiteaccesname>/<4th item in the top level menu> HTTP/1.1" 200 13360 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:39 +0200] "POST /<defaultsiteaccesname>/user/login HTTP/1.1" 200 9971 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:41 +0200] "POST /<defaultsiteaccesname>/user/login HTTP/1.1" 200 10773 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:42 +0200] "GET /<defaultsiteaccesname>/<1st item in the latest-items-box> HTTP/1.1" 200 12029 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:43 +0200] "GET /<defaultsiteaccesname>/user/register HTTP/1.1" 200 11923 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:08:46 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:50 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:54 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:57 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:08:59 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:02 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:05 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:08 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:11 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:14 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:16 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:19 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:22 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:24 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:27 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:29 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:32 +0200] "POST /<defaultsiteaccesname>/user/register HTTP/1.1" 302 208 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:34 +0200] "GET /<defaultsiteaccesname>/intern HTTP/1.1" 200 9976 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:09:36 +0200] "GET /<defaultsiteaccesname>/user/forgotpassword HTTP/1.1" 200 9939 "-" "-"
204.38.36.89 - - [23/Sep/2005:12:09:38 +0200] "POST /<defaultsiteaccesname>/user/forgotpassword HTTP/1.1" 200 10476 "http://<domain>/" "-"
204.38.36.89 - - [23/Sep/2005:12:09:39 +0200] "POST /<defaultsiteaccesname>/user/forgotpassword HTTP/1.1" 200 10075 "http://<domain>/" "-"
No further request after this.

As you see, the client does 17 POSTs to user/register. I thought, it would be a manual register, which accounters this bug: http://ez.no/bugs/view/7185 .
But: The client does not request the "user registration successfull" HTML page, which he should see, even after an unsucessful page.
Instead, he POSTS to the same page 17 times, with a 2-3 seconds delay.
Also, the referrer URL is sometimes not set, where i think, a normale webbrowser should set it. The most strange thing: There is no user agent reported!!

As i said, the click pattern, from the first GET / to the 17 POSTS, including the 2-3 seconds delay, are identical for at least 3 "events".

My question:
Did you experience something similar? Do you think, this is a scripted attack or some kind of "friendly" robot?
It does not take down the site or so, but it created blank user accounts and the corresponding mails.

Target sites run 3.4.2 and 3.4.4 at the moment.

Marco
http://www.hyperroad-design.com